Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expose OAuth class through Auth module #8933

Open
1 of 2 tasks
jglesner opened this issue Sep 22, 2021 · 11 comments
Open
1 of 2 tasks

Expose OAuth class through Auth module #8933

jglesner opened this issue Sep 22, 2021 · 11 comments
Labels
Auth Related to Auth components/category feature-request Request a new feature OAuth For issues related to OAuth TypeScript Related to TypeScript issues

Comments

@jglesner
Copy link

jglesner commented Sep 22, 2021

Is this related to a new or existing framework?

No response

Is this related to a new or existing API?

No response

Is this related to another service?

No response

Describe the feature you'd like to request

In issue #8632, I highlighted the fact that there is limited documentation/support to programmatically create a user session using Cognito (id, access, refresh) tokens. In the solution I provided to my own question, I am using a private method in the Auth module: _oAuthHandler. My approach bypasses the compile time checking, since this method is marked private, which isn't a good long-term solution.

I use the _oAuthHandler method for access to the OAuth class, which has the handleAuthResponse method to conveniently process a cognito response url. I use this method to process the cognito response url directly because (1) I retrieve the response url from an in app browser window (which the native urlListener can't do), and (2) there is limited third party package support for deep linking to handle out of app redirects. Therefore, I would like to see (a) the _oAuthHandler method made public, or (b) the OAuth class (or the OAuth.handleAuthResponse method) made accessible through Auth or the aws-amplify package.

While it is possible for someone to write their own RESTful method to process the cognito response url, what's the point of doing that when the AWS Amplify package exists?

Describe the solution you'd like

I would like the _oAuthHandler method to be made public so that I can access the OAuth class without having to bypass the fact tha the _oAuthHandler is currently private, and so that I/others know that this method will be supported into the future.

If _oAuthHandler is made public, you would want to drop the _ at the front. And I would use it like so:

import { Auth } from "aws-amplify";
import * as AmazonCognitoIdentity from "amazon-cognito-identity-js";

// passing a valid cognito response url with authorization_code and state
Auth.oAuthHandler.handleAuthResponse(url).then((resp) => {

    // using the id, access and refresh tokens provided by the AuthHandler:
    const AccessToken = new AmazonCognitoIdentity.CognitoAccessToken({
           AccessToken: resp.accessToken,
    });
                
    const IdToken = new AmazonCognitoIdentity.CognitoIdToken({
          IdToken: resp.idToken,
    });

    const RefreshToken = new AmazonCognitoIdentity.CognitoRefreshToken({
           RefreshToken: resp.refreshToken,
    });

    const sessionData = {
          IdToken: IdToken,
          AccessToken: AccessToken,
          RefreshToken: RefreshToken,
    };

    const session = new AmazonCognitoIdentity.CognitoUserSession(
          sessionData
    );
});

The cognito user session can be picked up by Amplify using the second part of my solution.

Describe alternatives you've considered

The alternative is to make a REST call to the Cognito API, or bypass compile time checking, which isn't a good solution.

Additional context

No response

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • âš ï¸? This feature might incur a breaking change
@jglesner jglesner added the feature-request Request a new feature label Sep 22, 2021
@aws-eddy aws-eddy added Auth Related to Auth components/category OAuth For issues related to OAuth labels Oct 22, 2021
@SebastianKurp
Copy link

+1 This would be useful in cases where you need to setup SAML federated access

@cxonexus-github-admin
Copy link

+1 Setting up SAML Federated access and am working on this exact issue right now.

@stemwinder
Copy link

+1 SAML federated scenarios

1 similar comment
@bobthebuilder1997
Copy link

+1 SAML federated scenarios

@chanpod
Copy link

chanpod commented Aug 21, 2022

Need for some micro UI SSR scenario's (so basically a federated setup I think)

@abdallahshaban557
Copy link
Contributor

Hi @jglesner - I want to make sure I am understanding your use case properly - you are using federatedSignIn, but then need to create a user session which produces the id, access, refresh token sessions programmatically as part of that flow?

@jglesner
Copy link
Author

jglesner commented Sep 5, 2022

@abdallahshaban557 In my particular case, I'm using federatedSignIn in a pop-up browser window within a JS mobile app, and once complete, I have the Cognito URL. I want public access to the Auth class so that I can process it. So I need a programmatic alternative to urlListener. If Auth.oAuthHandler.handleAuthResponse were public, I can achieve this.

Using the handleAuthResponse is a means to an end -- ultimately I want to create a cognito session recognized by Amplify. One way to do that, is to use the id, access, and refresh tokens I receive from handleAuthResponse to create a valid Amplify session, as I demonstrate in #8632.

@abdallahshaban557
Copy link
Contributor

Hi @jglesner -and for your particular use case using the AWS credentials is not enough to access resources you might need? you need to create a session and retrieve all the tokens you get with userpool sign in?

@jglesner
Copy link
Author

jglesner commented Sep 8, 2022

@abdallahshaban557 no, this isn’t so I can log in. this is a mobile app backed by cognito designed to let users of the app create accounts. As I explained, I don’t need the tokens as much as I need to process a cognito url and create an Amplify cognito user session.

@saconnolly
Copy link

@abdallahshaban557 Has there been any update on this? From what I can see, @jglesner proposed solution is the best option as of now and none of us love using a private function.

In my opinion, the best option would be leaving Amplify out of the solution and adding handleAuthResponse to the amazon-cognito-identity-js package. Currently the amazon-cognito-identity-js doesn't have a documented solution for how to support Authorization Code Flow for OAuth and this seems like the best way to start

@abdallahshaban557
Copy link
Contributor

@saconnolly - we do not have an update yet. Thank you for that suggestion, however we are not making update to the amazon-cognito-identity-js package in the near future.

@tannerabread tannerabread added the TypeScript Related to TypeScript issues label Mar 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Auth Related to Auth components/category feature-request Request a new feature OAuth For issues related to OAuth TypeScript Related to TypeScript issues
Projects
None yet
Development

No branches or pull requests

10 participants